IT Security News Blast 4-19-2017

When completing an application for cyberinsurance, it is critical that the applicant provide a candid assessment of its privacy and security practices and protocols. In Columbia Casualty v. Cottage Health System, Cottage Health was sued by a class of its prior patients whose ePHI was negligently made accessible through the internet. The class settled the underlying litigation with Cottage for $4 million. Although Columbia defended Cottage and paid the settlement, it later filed a declaratory action demanding reimbursement, relying in part on an exclusion named “Failure to Follow Minimum Required Practices.”

In the last year, half of American small businesses have been breached by hackers. That includes Meridian Health in Muncie, Indiana, where 1,200 workers’ W-2 forms were stolen when an employee was duped by an email purporting to come from a top company executive. Many small companies are just one fraudulent wire transfer away from going out of business. […] Here’s how more companies can boost their cybersecurity preparedness without breaking the bank.

It’s the second breach that IHG, a multinational hotel conglomerate that counts Holiday Inn and Crowne Plaza among its chains, has disclosed this year. The company acknowledged in February that a credit card breach affected 12 of its hotels and restaurants. […] Like most forms of payment card malware these days, IHG said the variant on their system siphoned track data – customers’ card number, expiration date, and internal verification code – from the magnetic stripe of cards as they were routed through affected hotel servers.

While just over half (53%) of organizations plan on increasing IT spending overall this year, 69% said they are increasing spending on cybersecurity. As far as cybersecurity spending goes, 48% will make their most significant cybersecurity technology investments in cloud security, 39% will in network security, 30% in endpoint security, and 29% in security analytics. Respondents were asked which business outcomes were their highest priorities for this year. The top three results were as follows: 43% said “reducing costs,” 40% said “increasing productivity,” and 39% said “improving information security.”

How Shifting Government Policies Affect Your Company’s Cybersecurity Program

The new administration has been in high gear, introducing and repealing legislation that could impact your cybersecurity planning. If you’re keeping a scorecard, here’s where things are: internet privacy and immigrants are out, while cybersecurity for small businesses is on its way in. How do these changes affect your organization?

Kudos to investigators at Al Jazeera who went undercover, approaching three companies on behalf of the governments of Iran and South Sudan – and found it all too easy to buy surveillance technology that could be used to spy on the countries’ citizens. Of course, shipping surveillance and spying equipment to authoritarian regimes breaks international sanctions, as the devices could be used to spy upon activists, political rivals and dissidents, and could potentially lead to them being interrogated, tortured or even killed.

Inside the ‘Stalkerware’ Surveillance Market, Where Ordinary People Tap Each Other’s Phones

Morgan Marquis-Boire is a security researcher who has spent months digging into the consumer spyware industry, and has seen it used in domestic violence cases first hand. He has also spent years researching spyware used by governments. For him, the former kind of surveillance, which can be also called stalkerware or spouseware, deserves more attention because it’s more common and widespread than many may think, and “the victims are everyday people,” he said.

Sometimes known as distributed analytics, it basically means designing systems where analytics is performed at the point where (or very close to where) the data is collected. Often, this is where action based on the insights provided by the data is most needed. Rather than designing centralized systems where all the data is sent back to your data warehouse in a raw state, where it has to be cleaned and analyzed before being of any value, why not do everything at the “edge” of the system?

The number of people who are concerned about their security, and are ready to protect themselves against cyber threats, is constantly growing, according to Kaspersky Lab’s Cybersecurity Index – a set of indicators that allow the evaluation of the level of risk for Internet users worldwide. The Index is based on an online survey of Internet users around the world, conducted by Kaspersky Lab twice a year. In the second half of 2016, 17,377 respondents from 28 countries were surveyed.

The survey showed that 94% of security professionals expect the frequency of mobile attacks to increase rapidly over the next year. However, just 38% of respondents stated their organisations use a mobile security solution other than mobile device management or enterprise mobile management to protect against attacks. The issue needs to be addressed at boardroom level.

The need for training and developing a corporate culture that prioritizes cybersecurity becomes clear through the answers to two of Wombat’s survey questions, in particular. Only 65 percent of respondents could properly define phishing. And when it came to understanding ransomware, 52 percent would not even hazard a guess as to what the word meant. Amy Baker, Wombat’s vice president of marketing, says one way to entice a workforce to be receptive to instruction is to keep the lessons short and use a carrot. Plus, a little comedy never hurts.

During a recent experimental exercise, the U.S. Army put a pair of specially equipped dune buggies through a series of tests. Though the two vehicles’ main job is to find and knock out small drones[.] […] And then there’s the matter of mobile cyber warfare. The Killer vehicle reportedly has undefined “cyber” capabilities and the ability to direct unspecified space-based systems. According to the Army, a soldier might eventually be able to call in a cyber attack just like an artillery strike.

Stop asking people for their passwords, rights warriors yell at US Homeland Security

In an open letter to DHS secretary John Kelly, the group argues that by forcing travelers from some countries to give border patrol agents free rein on their devices and social networks, the DHS is violating human rights and putting folks at risk of abuse. “Please reject any proposal to require visa applicants, refugees, or other foreign visitors to provide passwords for online accounts, including social media, in order to enter the United States,” the letter asks of Kelly.

The Massive Monopolies of Google, Facebook and Amazon, and Their Role in Destroying Privacy, Producing Inequality and Undermining Democracy

The upshot is that the dominant philosophy of Silicon Valley became heavily based on the radical libertarian ideology of Ayn Rand. […] As their “relentless pursuit of efficiency leads these companies to treat all media as commodity,” according to Taplin, “the real value lies in the gigabytes of personal data scraped from your profile as you pursue the latest music video, news article or listicle.”

Many police forces have admitted to receiving ever increasing numbers of complaints from the public worried about drones flying over their property. They see it as an invasion of their privacy and are asking the police to take action against the drones’ owners. However, it goes far further than just privacy. There have also been reports of burglars using drones equipped with First Person View to survey a house before entering.

Facebook was the subject of harsh criticism for allowing itself to be used by two Russian intelligence services – the GRU and the FSB – in their broad campaign of fake news in the summer and fall of 2016, undertaken to help Donald Trump win the November election. The company has taken action to prevent Russia and other actors from engaging in a similar campaign in France, where the first round of the presidential election is to be held on Sunday, 23 April. Facebook said it has targeted 30,000 fake accounts linked to France as part of a global effort against misinformation.

The demonstrated keylogging attacks are most useful at guessing digits in four-digit PINs, with a 74-percent accuracy the first time it’s entered and a 94-percent chance of success on the third try. The same technique could be used to infer other input, including the lock patterns many Android users rely on to lock their phones, although the accuracy rates would probably be different. The attacks require only that a user open a malicious webpage and enter the characters before closing it. The attack doesn’t require the installation of any malicious apps.

Experts have long known the risks associated with charging a smartphone using a USB cord that can also transfer data, but new research shows that even without data wires, hackers using a “side channel” can quickly find out what websites a user has visited while charging a device. Researchers warn that “a malicious charging station” can use seemingly unrelated data—in this case, a device’s power consumption—to extract sensitive information.

Unfortunately, there are always some users who will fail to spot any of these red flags and will click on the offered links. They will be taken to a website where they are instructed to upload their CVs. […] “Your CV contains a wealth of personal data which a cybercriminal uses to make a profit at your expense,” Heimdal Security’s Paul Cucu explains.

A recently discovered Hidden Tear ransomware offspring is being sold on underground forums as a Ransomware-as-a-Service (RaaS), priced at just $175, Recorded Future researchers reveal. Dubbed Karmen, the malware appears to have been around since December 2016, when incidents involving it were reported in Germany and the United States. However, the threat started being advertised on underground forums only in March. […] Unlike other similar threats, however, the malware automatically deletes the decryptor when detecting a sandbox environment or analysis software.


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.